The Decryption (DPI-SSL) page provides a list of inspection types available. In the General tab, you can configure settings for:
To configure the desired inspection type:
Navigate to POLICY | Rules and Policies > Settings > Decryption (DPI-SSL) | General.
These settings function in conjunction with your Decryption Policies. For example, when "Enable SSL Client Inspection" is disabled, then all the Client-side SSL Decryption rules are inactive.
| Option | Description |
| --- | --- |
| Enable SSL Client Inspection | Click to enable SSL Client Inspection. |
| Always authenticate server for decrypted connections | When enabled for decrypted/intercepted connections, DPI-SSL blocks connections to sites with untrusted certificates, and blocks connections when the domain name in the Client Hello cannot be validated against the Server Certificate for this connection. |
| Deployments wherein the firewall sees a single server IP for different server domains, such as a Proxy setup | When disabled, use of a server IP address-based dynamic cache is marked for exclusion. |
| Allow SSL without decryption (bypass) when connection limit exceeded | When enabled, allows SSL to proceed without decryption (bypass) when the connection limit is exceeded. By default, new connections are dropped when the connection limit is exceeded. |
| Audit new default exclusion domain names prior to being added for exclusion | Audits new built-in exclusion domain names prior to being added for exclusion. |
| Always authenticate server before applying exclusion policy | When enabled for excluded connections, DPI-SSL blocks connections to sites with untrusted certificates, and blocks connections when the domain name in the Client Hello cannot be validated against the Server Certificate for this connection. |
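
The two "Always authenticate server" options both block on an untrusted certificate or on a Client Hello name that the server certificate does not cover. The sketch below models that decision; it is an added example, not SonicWall code. The function names and sample connections are constructed, and the wildcard matching rules (common RFC 6125 practice) are an assumption about what "validated" means here.

```python
"""Illustrative model of the two blocking conditions; not SonicWall code.
All function names and sample values are hypothetical."""


def _name_match(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host name.

    Assumption: a wildcard is honoured only as the whole left-most label
    ("*.example.com") and covers exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Need two fixed labels after the wildcard so "*.com" never matches.
        return (len(p_labels) >= 3 and bool(h_labels[0])
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def sni_matches_certificate(sni: str, san_dns_names: list[str]) -> bool:
    """True when the Client Hello name matches any DNS name in the certificate."""
    if not sni:
        return False  # nothing to validate against the certificate
    return any(_name_match(name, sni) for name in san_dns_names)


def decide(sni: str, san_dns_names: list[str], chain_trusted: bool) -> str:
    """Return "allow" or a "block: ..." reason for one connection."""
    if not chain_trusted:
        return "block: untrusted certificate"
    if not sni_matches_certificate(sni, san_dns_names):
        return "block: Client Hello name not in server certificate"
    return "allow"


if __name__ == "__main__":
    # Constructed samples: (Client Hello name, certificate DNS names, trusted?)
    samples = [
        ("www.example.com", ["example.com", "*.example.com"], True),
        ("login.example.com", ["www.example.net"], True),
        ("www.example.com", ["www.example.com"], False),
        ("a.b.example.com", ["*.example.com"], True),
    ]
    for sni, names, trusted in samples:
        print(f"{sni:20} -> {decide(sni, names, trusted)}")
```
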
These settings function in conjunction with your Decryption Policies. For example, when "Enable SSL Server Inspection" is disabled, then all the server-side SSL Inspection rules are inactive.
| Option | Description |
| --- | --- |
| Enable SSL Server Inspection | Click to enable SSL Server Inspection. |
Click Accept.